MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
The file contains multiple Excel 4.0 macro sheets, a critical heuristic firing. The ClamAV detection explicitly names this as 'Xls.Downloader.Emotet-OOXML_XL'. The macros appear to be responsible for downloading and executing a second-stage payload, evidenced by the use of functions like 'URLDownloadToFileA' and 'regsvr32'. Reconstructed paths like 'C:\Imchtria\Nitubsrta\Mibyense.OOOOOCCCCXXXXX' suggest the location where the payload might be saved.
Heuristics 2
-
Excel 4.0 macro sheet (3 sheet(s)) critical OOXML_XLM_MACROSHEETSpreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
-
ClamAV: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Downloader.Emotet-OOXML_XL-af43432fbcb8603c-9980048-0
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
emf_00.emfb6669e45418c7f93a15484158dd17e2bf426ac6b736656272c23ee9899213e89 |
ooxml-emf | OOXML EMF part: xl/media/image2.emf | 1056300 bytes |
xlm_sheet_00.bin63d7921ffb68d3277fd08b0dcc5be99532618a39559d10c825773383710a24a7 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet1.bin | 556 bytes |
xlm_sheet_01.binc9b1b95df51dde628c9eacbfce3281709eee164e8197687761a2726194eabe16 |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet2.bin | 2903 bytes |
xlm_sheet_02.bind4e27898a268d9074b6f46267fd1a4809de4f088af0ad9d9f4bf9fb6b764b87b |
xlm-macrosheet | OOXML XLM macro sheet: xl/macrosheets/sheet3.bin | 1381 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.